
RansomHouse
Ransomware-as-a-service group; claimed Trellix source-code breach in April 2026.
Last refreshed: 8 May 2026 · Appears in 1 active topic
What can attackers do with Trellix source code that RansomHouse now holds?
Timeline for RansomHouse
Posted alleged internal system screenshots from inside Trellix on its leak site on or around 11 May 2026
Cybersecurity: Threats and Defences: RansomHouse posts Trellix internal screenshots as extortion leverageClaimed the Trellix source-code compromise occurred on 17 April without publicly releasing data
Cybersecurity: Threats and Defences: Trellix discloses 21-day-old breach of source-code repositoryHas RansomHouse released the Trellix source code?
Who are RansomHouse's previous victims?
Why is the Trellix source-code breach significant for UK security?
Background
RansomHouse is a ransomware-as-a-service (RaaS) operation that emerged in 2022 targeting large enterprises across critical sectors. On 17 April 2026, the group accessed part of Trellix's source-code repository, with Trellix disclosing the breach publicly on 8 May — a 21-day intrusion-to-disclosure gap. No data has been released publicly.
RansomHouse distinguishes itself from conventional ransomware operators by focusing primarily on data theft and extortion rather than encryption-based disruption. The group typically exfiltrates sensitive data and threatens publication on its leak site to pressure victims into payment. Unlike many RaaS operations, RansomHouse has claimed not to deploy encryptors directly but instead relies on affiliated access brokers or leverages existing vulnerabilities.
The Trellix compromise is operationally significant because Trellix produces security software used by UK Government departments and CNI operators. Source code access could reveal detection signatures, sensor blind spots, or undisclosed vulnerabilities in a product used by the targets RansomHouse and its clients typically pursue. The 21-day disclosure gap also places the incident outside the 24-hour initial-notification window proposed by the UK Cyber Security and Resilience Bill.